Pandora, other app makers subpoenaed over user data collection

Pandora has revealed that it received a federal grand jury subpoena asking for …

A federal grand jury has opened an investigation into mobile apps and what kind of personal data they might transmit about users, Pandora has revealed. The streaming music company recently amended its S-1 filing with the Securities and Exchange Commission (SEC) to note that it had been subpoenaed to produce documents about its user data collection on Android and iOS devices, which the company believes is related to an industry-wide probe into how mobile apps capitalize on user information.

"[I]n early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms," Pandora wrote in its filing. "While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena, management’s attention could be diverted and there is no guarantee that we will avoid costly litigation."

According to a "person familiar with the matter" speaking to the Wall Street Journal, the purpose of this grand jury investigation is to find out whether app makers fully describe to users the kinds of information they need, such as geolocation data or a device's unique identifier, and why they need it. Though most other app makers have not publicly commented on the subpoena, the creator of an iOS app called "Pumpkin Maker" told the Journal that he also got a subpoena that requested documentation about the workings of his app.

The investigation may have been sparked by an October 2010 report out of Bucknell University, which said that a majority of iOS apps transmit user data back to their own servers, and that (in some cases) it was an easy task to piece together enough information to identify a user. Just a couple months after that report came out, Apple and several app developers faced a class-action lawsuit over user data collection.

Apple has historically claimed that it effectively anonymizes data that it collects and does not share any of that data with advertisers. However, according to research conducted by the Wall Street Journal last year, data such as location, age, gender, and even sexual orientation or political views are often collected and sent back to Apple, developers, and ad networks themselves.

As Pandora noted in the SEC filing, the focus of the grand jury investigation isn't just limited to Apple or iOS apps—Android apps are beginning to come under fire for the same reasons, and we wouldn't be surprised to hear the same of other mobile platforms that have their own app stores. The investigation appears to be in its early stages and may not result in any charges, though, which seems to be the hope of Pumpkin Maker developer Anthony Campiti.

"They're just doing information-gathering to get a better understanding [of what apps are doing]," Campiti told the Journal. "We're not doing anything wrong and neither is anyone else doing anything wrong."

That's a pretty bold statement, though Pandora also argues that it needs the information it collects so that it can deliver personalized music streams to users. Still, someone in law enforcement is suspicious of the level of information collected and whether users were notified, and developers that are found guilty of misleading users may face federal fraud charges.

22 Reader Comments

I haven't given Pandora any information besides the IP address I connect to it with. It’s a pretty simple task to create an account without any personal or identifying information in it for the more savvy internet user.

You can see that they have access to the device's phone number and serial number. Sounds pretty personal to me! And yeah, tons of apps require this, it is non-optional to use the app, and we ignore the warning every day. What's a consumer to do?

Of course, if you just use Pandora via web browser, a) this article doesn't apply, and b) there are other ways for them to collect data (not that I'm accusing Pandora in particular... but some data about the browser, and about browsing habits, well beyond the IP address, is fairly easy to collect, especially for a flash site).

And that is why I haven't updated my Android Pandora. It's still sitting at whatever the last version was before they wanted all your contact information. There is no way in hell they should ever need that data, so I refuse to update it.

I haven't given Pandora any information besides the IP address I connect to it with ...

You are joking, right? Your computer's IP address, combined with the selection of music you listen to means that they have a very good idea of your age, sex, average income, heck, in some specialized cases (= neighborhoods) even political orientation.

Is all this information guaranteed to be 100% reliable? No, of course not – that's not the point. The point is to get the majority of users profiled properly, not the odd dork out.

And Pandora's outrageous fishing expedition among your personal data is why I don't use it. Or for that matter, any other app that wants full internet access, GPS location, the right to send emails as if they were me or any number of other nuggets.

I don't have many apps, and I paid for most of them. That seems fair to me... developers want to pay the bills, too.

I'm happy to see such investigation. I think that mobile developers collect way too much information, giving very few guarantees on how those data will be handled. They need to realize that they can't do whatever they want with users' data and that there is a control over their actions.

On a semi-related note, when did Pandora stop blocking non-US IPs? For the first time since ~2008, I have no problems accessing it, it recognized my account from years past, and I'm listening to the radio station I made years ago. Looking for any news on the unblocking I have unexpectedly missed, and I can't find anything. Wikipedia still purports non-US IPs are blocked.

Pandora blocks IPs from any country where they don't have the proper rights agreements set up with the content holders. It's not about being outside the US, it's a matter of them having the legal stuff taken care of for whatever region you're in. Sometimes there are local laws that get in the way on top of copyright issues. Without knowing where you are, I can't speculate as to why it suddenly freed up.

Side note- do NOT rely on the Wikipedia for information. The Wiki is a collection of citation links with a summary article, it is NOT a source of record. Go to the bottom of the page, follow the citation links, and get the info from the source. You will often be surprised at what passes as a "reputable source" on Wikipedia.

Exactly how do you plan on streaming music, if you don't give it access to a connection that allows them to reach the servers?

How do you expect them to be able to know who you are, and thus what your playlists are, without having a unique ID like your phone or device number?

How do you expect them to know that you're inside a country they are legally allowed to stream to, if they don't have access to the GPS? IP address alone is not always enough to guarantee that you are within a country they CAN stream to.

I often see complaints like yours on the marketplace comments. A whole bunch of people left nasty comments on an app which was an email client- they were mad that it wanted access "to send emails and view the contact list." There was software that provided some pretty in-depth system information, and people wanted to know why it needed access to various things. Duh, it can't tell what that part of the system is if you block it.

Pandora uses IP as a means of identifying countries it streams legally to (and blocks IPs it can't) but that is not enough (due to proxy) so on devices with additional access either to cell tower location services, wifi location, or GPS, they additionally track that. On iOS, access to the location service API is reported, so clearly users are notified, as well as those who enter their home address/contact information during registration (again used to additionally clarify nation of origin of the user, and to note conflict when too many registrations key off the same address or nonexistent ones). It may also be possible that Pandora pays lower license rates on additional users in the same household, but I doubt that.

As for additional uses of GPS, not all advertisements are national, and access to GPS information allows Pandora to target your device with ads that might pertain to the locality. Age knowledge allows them to target age appropriate ads (Geico doesn't need to be advertised to 15 year olds, nor does the AARP need to be advertised to 30-somethings).

PII (personally identifiable information) is clearly defined in law. Age (not birthday), Sex, location (your street address is most commonly public information and is also listed in tax records, and is therefore not protected), and more is not protected information and can be collected at will. In many cases, even your first or last name (but not both) is also not protected. More detailed information can also be collected so long as it is anonymized or only used for account validation/customer tracking but not advertising, and if it is properly secured to government security audit standards.

Pandora discloses much of their collection online, and the TOS is pretty clear, and on iOS at least you're instantly notified (and can block access to) most of that data other than what is required online. Since they're ad based, collecting some more detailed yet generic demographics data IS a means of business, as granular data and targeted ads pay more money and thus improve their operational costs/profit margin. It can absolutely be seen as necessary. Additional optional information is not distributed to advertisers or used internally other than for licence validation (which the content providers enforce collection of).

The issue isn't any of the ones you listed (ip, phone serial). The issue is that the Android version of Pandora wants full access to your contact book. This is in no way at all required for the application to work. This is why people are complaining about it, and what the subpoena is about.

The exact text quoted on my phone when it asks me to update (and warns about an updated access policy):

There is no reason why any company should be allowed to collect ANY data on their customers. Oh yeah, it's because they are greedy buggers who will do anything to squeeze every cent that they can out of you.